To whom it may concern,

I have read the new Code of Practice, and have a number of comments and thoughts on it.
Unfortunately, I have run out of time before completing my comments before I go on leave for a
fortnight, so I thought I’d send what I have put down in this email. Apologies, that I have not
completed the read through.

General comments. 

References to ICO website --- There are too many references in the text to the ICO website. 
(And where links are necessary they should be to specific pages not just to the home page.) 
Examples — some of these are not as clear as they might be. 

Internal cross references — are these better as hyperlinks or page references? Need to consider
whether or not people are more likely to be reading on a paper copy or electronic. (I’d suggest 
these are hyperlinks using page numbers (or section numbers) as the base.) 

Summary 

Page4: Bullet point 3: It would be good to have a link to a ‘dummy’ (or even template) DPIA. 
Page4: Bullet point 4: This might additionally mention the fact that rights issues could/should be 
managed in a DSA. 

Page5: Bullet point 1: This is well explained but the key that consent might be granted in the data
collection phase may be helpful here, even if consent is not relied on as the lawful basis for
sharing.

Page5: Bullet point 4: Seems to be just repeating what’s being said in the last bullet point of page
4. 

Page9: Who is the “we” referred to in the heading? Suggest replace with “How should this code 
be used?” 

Page11: In the description of what the code does, there’s no mention of whether or not it 
actually explains (as opposed to “updates and reflects”) the changes in practical terms. 

p.12 Second box. The reality half of this box doesn’t really address the misconception statement. 
p.12 Third box. An additional benefit might be a piece of research which has an impact on policy 
which leads to better government provision of a service (or something.) 

p.13 First box. It could be made more explicit that ethical codes of research may expect consent 
to be gained even though it is not relied on as the lawful basis for sharing. 

p.13 Second box. Refers to a non-existent link. 

p.13 para under heading “The benefits of sharing” is pretty much a repetition of the information 
on p.12. 

p.14 small typo “decision making” => “decision-making” 

p.14 and p.15 almost all the examples here are around health. It would be good to have some 
other real world examples which commercial organisations might relate to. 

p.15 top box. I think it makes more sense to say “...that a person...” (rather than “...that the
person...”) 

p.16 box, has no research examples from within academia. There should be some. 

p.21 Second bullet point in second group of bullets. There should be link to the ICO’s DPIA 
guidance. 

p.25 as noted above a data sharing agreement may act as (and be called) a licence. This
paragraph might also note whether the ICO believes that a single DSA should be used for each 
‘dataset’ or might deal with a group of ‘datasets’ depending on circumstances. 


There’s also no guidance in this section as to who is best suited to initiating a DSA? The “data 
owner” or the “data recipient”? 

Would it be worthwhile including a template DSA? (Or a real life example?) 

p.27 What data items are we going to share? : This section needs to reflect on a situation where 
the ‘data recipient’ is also a ‘data stewardship organisation’, i.e., it provides access to the data to 
researchers who are not even members of staff of the data recipient organisation. 

p.27 In the second para under what is our lawful basis... the word could should be changed to 
should. It would be best practice to provide this. 

p.29 First sentence under heading uses the word regular. Regular is perhaps an unhelpful word 
here. Regular could mean every year, every five years or every decade. It would be better for the 
ICO to make a punt and recommend a real period. Biennially or every five years, etc., would be 
more precise (and helpful.) 

p.29 second bullet point under the heading has “to the people concerned” — presumably this 
should be the people who are in the data? 

p.35 The example here doesn’t really make sense as it’s written. It needs rewriting to be more
explicit that the ‘victims’ are the people who’ve had information about them disclosed. 

p.36. The example might end with some explanation that personal information is not 
disclosed/shared unless in an emergency situation. Again this example is a little tenuous since it 
doesn’t explicitly say what the procedure was AND whether the procedure was lawful. 

p.39 First para. I know consent is an ordinary English word, but could it be spelled out what it
means. (And in this case should this consent not only be clear, but properly informed?) 

p.39 (e) Can this paragraph say explicitly that PT is the usual lawful basis for research within 
Higher Education (and government)? 

p.38 Towards the bottom of the page: why is the word necessary enclosed within quotation 
marks. (ditto at the top of page 39). 

p. 39 First paragraph. I wonder whether something could be said here about cost. If I could
achieve the purpose by a less obtrusive means, but at 10 times the cost, would that mean my 
original justification was ok or not? Would the answer be different if it was 50 times the cost? Or 
100? Etc. 

p.39 Para starting “you must tell individuals...” refers to somewhere later in the code, but isn’t 
explicit to where. 

p.39 The issues around special category/criminal offence data need some real life practical 
examples. (And criminal offence data is doubly tricky owing to the concept of spent criminal 
convictions.) 

If there is anything unclear or problematic please feel free to get in touch with me directly. I will
be away from my desk until the 25 September. 

With all best wishes 


University of Essex 
Colchester CO4 3SQ 
United Kingdom 